ABSTRACT


The  U.S.  stockpile  of  chemical  munitions  stored  at  various 
locations  in  the  Continental  United  States  (CONUS)  is  scheduled 
to  be  thermally  demilitarized  under  the  supervision  of  the  U.S. 
Army Chemical Stockpile Disposal Program (CSDP). This paper
describes a fire risk assessment (FRA) performed under the system
hazard analysis (SHA) task for the initial CSDP facility. The
fire  risk  methodology  used  in  the  assessment  is  adopted  from  the 
methodology  developed  for  nuclear  power  plant  fire  risk 
assessment.  The  task  of  fire  risk  assessment  consists  of  three 
phases:  (1)  preparation,  (2)  fire  risk  assessment,  and  (3)  fire 
risk  management.  Design  recommendations  were  formulated  based  on 
the  findings  of  the  FRA  to  reduce  the  fire-induced  risk  and  to 
improve  safety-system  reliability.  The  FRA  presented  in  this 
paper  proved  to  be  a  very  useful  tool  in  supporting  the  facility 
fire protection system design. It also proved to be an
important  portion  of  the  system  hazard  analysis  task  to  assess 
the  potential  of  agent  release  and  equipment  damage  from  fire. 

1. INTRODUCTION

1.1  BACKGROUND 


The  U.S.  Department  of  Defense  (DOD)  has  been  directed  by 
Congress in the DOD Authorization Act of 1986 (as amended by
Public  Law  100-456)  to  destroy  the  nation's  stockpile  of  lethal 
unitary  chemical  warfare  agents  and  munitions.  The  stockpile 
consists  of  nerve  agents  (GB  and  VX)  and  a  blister  agent 
(H/HD/HT,  or  mustard)  in  bulk  storage  containers,  bombs,  rockets, 
mines,  projectiles,  and  mortar  rounds  stored  at  eight  locations 
in the Continental United States (CONUS), in Europe, and at
Johnston  Atoll  in  the  Pacific  Ocean. 

Because  of  the  hazards  associated  with  handling  of  these 
lethal unitary chemical warfare agents and munitions, Congress
directed that the destruction be accomplished in such a manner as
to provide: (1) maximum protection of the environment, the
general public, and the personnel who will be involved in the
demilitarization operations; (2) adequate and safe facilities
designed  solely  for  the  destruction  of  the  lethal  chemical 
stockpile;  and  (3)  cleanup,  dismantling,  and  disposal  of  the 
facilities  (i.e.,  decommissioning)  when  the  disposal  program  is 
complete.  Early  in  the  CSDP,  a  System  Safety  Program  Plan  (SSPP) 
[Ref.  1]  was  developed  to  ensure  that  all  of  the  project  safety 
goals  would  be  met  in  the  various  project  stages,  including 
design,  construction,  and  testing.  The  system  hazard  analysis 
(SHA) is one of the key elements in the SSPP during the final
design  stage  of  the  program. 

A  fire  can  either  cause  an  accident  or  reduce  the  plant's 
margin  of  safety.  A  fire  can  damage  equipment  which  is  needed  to 
safely  operate  the  demilitarization  processes  and  to  prevent 
release  of  agent  vapor  from  toxic  areas  during  normal  or  abnormal 
operations.  Apart  from  hardware  failure,  crucial  equipment  in 
the  facility  can  also  be  damaged  by  fire,  flooding,  or  other 
causes.  Recent  risk  studies  [Refs.  2  through  4]  have  concluded 
that  fires  can  be  important  contributors  to  public  health  risk. 
The  adverse  effects  of  fire  on  plant  safety  are  further 
demonstrated  by  the  well-known  cable-spreading-room  fire  at 
Browns Ferry Nuclear Power Plant [Ref. 5]. Therefore, fires
present  a  substantial  risk  to  the  system  safety;  a  fire  risk 
assessment  was  performed  for  a  CSDP  facility  as  a  part  of  the  SHA 
to  meet  the  SSPP  requirement. 


1.2  FIRE  RISK  ASSESSMENT 

Investigation  of  fire  risk  requires  the  application  of 
probabilistic  risk  assessment  (PRA)  technology  to  qualitatively 
and  quantitatively  assess  the  probability  of  fire  occurrence 
rate, fire protection system (FPS) unavailability, and fire
induced  damage  probability. 

The  key  segments  in  the  FRA  are:  assess  fire  frequency, 
evaluate  fire  damage  probability,  assign  Risk  Assessment  Codes 
(RAC)  to  current  design,  and  provide  risk  management 
recommendations.  Event-tree/fault-tree  methodology  is  applied  to 
determine  the  probability  of  occurrence  for  the  selected  accident 
scenarios.  Consequences  of  the  accident  scenarios  are  assessed 
via  the  loss  of  critical  safety  equipment  and  the  estimate  of 
agent  release. 


2.  TECHNICAL  APPROACH 

The  FRA  adapts  the  general  methodology  that  has  been 
developed  for  fire  risk  assessments  performed  for  nuclear  power 
plants. The methodology combines engineering judgment,
statistical  evidence,  fire  phenomenology,  and  plant  system 
analysis  to  systematically  quantify  the  risk  of  fires  to  the 
operation  in  the  facility. 


2.1 OVERALL PLAN OF APPROACH

The  overall  approach  for  the  FRA  work  is  illustrated  in 
Figure  2-1.  The  figure  identifies  the  three  main  phases  of  the 
analysis,  each  of  which  involves  several  work  activities: 

Phase 1: Preparation: (a) plant design familiarization, (b)
identification of engineered safety functions (ESFs),
and (c) database development.

Phase 2: Fire Risk Assessment: (a) identification of critical
locations and components and credible fire scenarios,
(b) estimation of fire frequency, (c) estimation of
fire-growth times and competing fire-detection and
suppression time, (d) assessment of FPS unavailability,
(e) assessment of fire-induced damage probability, and
(f) evaluation of total fire risk.

Phase  3:  Fire  Risk  Management:  (a)  design  confirmation,  and  (b) 
fire  risk  reduction  recommendations. 

Figure 2-1 - Overall Approach of the FRA
[Flowchart. Phase 1: (a) design familiarization, (b) identification of engineered safety functions, (c) database development. Phase 2: (a) identification of critical locations, (b) estimation of fire frequency, (c) estimation of fire growth and hazard times, (d) assessment of FPS unavailability, (e) assessment of fire-induced damage probability, (f) evaluation of total fire risk. Phase 3: (a) design confirmation, (b) risk reduction recommendations.]

2.2 PREPARATION

The  occurrence  of  fires  and  their  effects  on  the  facility 
plant  safety  are  very  complex  issues  that  require  detailed  design 
information.  Documentation  such  as  plant  layout  drawings, 
process  flow  diagrams  (PFDs) ,  piping  and  instrumentation  diagrams 
(P&IDs),  system  descriptions,  technical  specifications,  and  other 
supporting  engineering  calculations  was  collected  during  the 
initial phase of the FRA. During this preparation phase,
engineers from various disciplines - design, process
instrumentation and fire protection - were consulted for correct
interpretation of the drawings and processes.

Theoretically,  an  FRA  should  study  all  the  potential 
contributors  to  the  risk  of  agent  release  associated  with  fires 
anywhere in the facility. By screening out less important
scenarios, however, the amount of work required can be greatly
reduced without sacrificing significant confidence in the
results. To accomplish this objective, a screening criterion is
used to select only the fire scenarios that can damage engineered
safety functions (ESF). An ESF is a safeguard designed to
prevent agent from contaminating the nontoxic areas or to
mitigate agent-release accidents. ESFs were identified from the
PFDs, P&IDs, SHA [Ref. 6], and design criteria document. The
identification  of  the  ESFs  sets  forth  the  scope  of  the  FRA  and  is 
an  important  step  in  the  identification  of  critical  locations 
analyzed  in  the  following  phases  of  the  FRA. 


2.3 FIRE RISK ASSESSMENT

A  general  methodology  [Refs.  7  through  12]  for  the 
assessment  of  the  risk  associated  with  fires  has  been  developed 
and  applied  in  major  PRAs  [Refs.  13  through  16].  The  methodology 
addresses  many  aspects  of  a  fire  incident  (e.g.,  fire  ignition, 
progression,  detection  and  suppression,  or  characteristics  of 
materials  under  fire  conditions)  as  well  as  the  plant  safety 
functions  and  their  behavior  under  accident  conditions.  Although 
the  methodology  was  developed  primarily  for  the  evaluation  of  a 
nuclear  power  plant's  fire  risks,  it  can  be  applied  to  any 
complex  facility. 


2.3.1 Identification of Critical Locations and Components

A location is classified as critical when the occurrence of
a fire there has the potential of creating an abnormal condition
leading  to  the  damage  of  the  components  that  perform  the  ESFs 
(generally  known  as  critical  components)  directly  or  indirectly. 
The  critical  locations  are  identified  systematically  by  dividing 
the  facility  into  fire  areas.  A  fire  area  is  defined  as  an  area 
bounded by firewalls. Partitions separated from each other by
non-fire-rated walls within a fire area are defined as a
compartment. Compartments within a fire area are usually grouped
into fire zones. The compartments within a fire zone are usually
protected by the same FPS. If the FPS for a fire zone is lost,
the  fire-control  capability  is  said  to  be  lost  in  all 
compartments  within  the  same  zone.  The  critical  locations 
analyzed  were  selected  from  these  compartments  based  on  the 
amount  of  hazardous  material  and  combustibles  available  in  the 
locations,  the  significance  of  the  critical  ESF  equipment  within 
the  room,  the  consequences  of  losing  this  equipment,  and  the 
likelihood  of  fire  initiation  and  propagation. 


2.3.2  Definition  of  Fire  Scenarios 

Fire  scenarios  in  each  of  the  critical  locations  were 
postulated  in  order  to  conduct  the  risk  analysis.  These  scenarios 
include  different  sizes  of  fires  at  the  worst-case  locations.  A 
worst-case  location  is  that  where  a  fire  can  cause  the  most 
significant  damage  to  the  ESF  equipment.  Generally,  a  scenario 
includes  the  following  information:  the  size  of  the  fire,  the 
location  of  the  fire,  the  type  of  FPS,  the  equipment  (target) 
being  considered,  and  the  progression  of  the  fire  event.  The 
progression  of  a  fire  event  is  illustrated  in  Figure  2-2.  Three 
events are included: (1) the automatic FPS is available, (2)
fire is controlled successfully by automatic FPS, and (3) fire is
controlled  successfully  by  manual  suppression.  The  first  event 
models  the  reliability  of  the  FPS,  if  present.  The  second  event 
models  the  speed  of  the  FPS,  and  the  third  event  models  the  speed 
of  the  manual-suppression  effort.  The  fire  event  will  lead  to  a 
damage  state  by  either  of  the  following  scenarios: 

(1)  The  automatic  FPS  is  fully  functional  as  designed;  however, 
the  FPS  cannot  control  the  fire  before  the  fire  damages  the 
ESF  equipment. 

(2)  The  automatic  FPS  is  not  functioning,  or  there  is  no 
automatic  fire-suppression  system  installed  in  the 
compartment.  Manual-suppression  effort  is  not  able  to 
control  the  fire  before  damage  occurs. 


2.3.3  Fire  Occurrence  Frequency 

Since  fire  occurrence  data  for  facilities  similar  to  the 
CSDP  operation  do  not  exist,  available  industrial  fire  experience 
and  engineering  judgment  were  used  to  approximate  the  frequency 
of  occurrence  of  fires  in  the  critical  locations.  A  methodology 
that  allows  such  an  approach  is  formulated  in  References  7  and  17 
through  21.  The  methodology  integrates  new  evidence  (including 
imprecise or debatable evidence) into the state of knowledge of
the  frequency  of  fire  occurrence.  The  central  conceptual  tool  is 
Bayes'  Theorem  from  the  theory  of  probability.  This  theorem,  the 
fundamental  law  of  logical  inference,  is  the  ideal  tool  for 
quantitatively  assessing  the  significance  of  various  items  and 
forms of information. Bayes' Theorem is expressed as follows:

$$K(a \mid E) = \frac{K_0(a)\, L(E \mid a)}{\int_0^{\infty} K_0(a)\, L(E \mid a)\, da} \tag{2-1}$$

where

$K_0(a)$ = probability distribution of the frequency "a"
prior to having evidence E (prior distribution).

$L(E \mid a)$ = likelihood function (probability of the evidence
given a).

$K(a \mid E)$ = probability density function of a given evidence
(the posterior distribution).


In  the  FRA,  the  frequency  of  fires  is  treated  as  a  random 
variable,  and  its  distribution  expresses  our  current  state  of 
knowledge  about  the  values  of  that  frequency.  The  prior 
distributions  developed  in  the  knowledge  process  are  generic. 
Since  there  are  no  historical  data  of  fire  occurrence  at  the  new 
facility,  the  prior  distribution  of  the  frequency  for  each  of  the 
critical  locations  is  almost  noninformative,  i.e.,  no  significant 
prior  knowledge  was  injected  into  the  analysis.  The  evidence  used 
in  the  analysis  was  derived  from  actual  nuclear  power  plant  fire 
incidents  as  reported  to  the  American  Nuclear  Insurers  (see  Table 
2-1).  Bayes'  Theorem  was  used  to  formally  incorporate  the 
experience  into  the  knowledge  of  the  frequencies. 

Based  on  the  form  of  data  available,  the  evidence  (Table  2- 
1)  is  best  modeled  as  a  Poisson  process.  Therefore,  the 
likelihood  function  is 


$$L(E \mid a) = \frac{e^{-aT}\,(aT)^{r}}{r!} \tag{2-2}$$

where

a = frequency of occurrence used to model the process,

T = number of relevant years of operation,

r = number of fires.

Table 2-1

Statistical Evidence of Fires in Light Water
Reactors (As of June 1985) [Ref. 21]

Area                          Number of     Number of Compartment
                              Fires (r)     Years (T)

Control Room                      3              681.0
Cable Spreading Room              2              747.3
Diesel Generator Room            37             1600.0
Reactor Building                 15              847.5
Turbine Building                 21              654.2
Auxiliary Building               43              673.2
Electrical Switchgear Room        4             1346.4
Battery Room                      4             1346.4

To facilitate the calculation, the gamma family of
distributions, which is conjugate to the Poisson distributions,
was chosen to represent the prior distribution. A gamma
distribution is expressed as:

$$G(a) = \frac{\beta^{\alpha}\, a^{\alpha-1}\, e^{-\beta a}}{\Gamma(\alpha)} \tag{2-3}$$

where $\alpha$ and $\beta$ are the parameters of the distribution.


For the noninformative prior distribution, the greatest
ignorance is represented by setting $\alpha$ and $\beta$ to a value of
zero. In the FRA, slightly more conservative prior distributions
($\alpha$ and $\beta$ > 0) were used to give more weight to the values of "a"
in the neighborhood of one per compartment-year. The
distributions cover a wide range of values to express our vague
prior knowledge. Since the gamma distributions are conjugate with
respect to the Poisson distribution, the posterior distributions
are also gamma distributions, with parameters $\alpha' = \alpha + r$ and
$\beta' = \beta + T$.

To  express  the  large  uncertainties  in  applying  the  generic 
distributions  obtained  from  nuclear  power  plant  experience  as  the 
evidence  for  the  facility  operation,  these  distributions  were 
further  broadened  to  express  the  uncertainties  in  the  application 
of  the  knowledge  [Ref.  19].  The  degree  of  broadening  depends  on 
the  differences  between  the  nuclear  experience  and  the  new 
facility  designs. 
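
The conjugate gamma-Poisson update described above, applied to the Table 2-1 evidence, as an added example that is not part of the original paper. The prior parameters (0.5, 0.5) are assumed for illustration because the paper does not state its values, and the broadening step of Ref. 19 is not modeled.

```python
import math

# Table 2-1 of the paper: area -> (number of fires r, compartment-years T)
TABLE_2_1 = {
    "Control Room": (3, 681.0),
    "Cable Spreading Room": (2, 747.3),
    "Diesel Generator Room": (37, 1600.0),
    "Reactor Building": (15, 847.5),
    "Turbine Building": (21, 654.2),
    "Auxiliary Building": (43, 673.2),
    "Electrical Switchgear Room": (4, 1346.4),
    "Battery Room": (4, 1346.4),
}

# Assumed, nearly noninformative prior (these values are NOT given in the paper).
PRIOR_SHAPE = 0.5  # alpha
PRIOR_RATE = 0.5   # beta; prior mean alpha/beta = 1 fire per compartment-year


def posterior_params(r, T, shape=PRIOR_SHAPE, rate=PRIOR_RATE):
    """Conjugate update: a gamma prior with Poisson evidence (r fires in
    T compartment-years) gives a gamma posterior (shape + r, rate + T)."""
    return shape + r, rate + T


def gamma_cdf(x, shape, rate):
    """P(frequency <= x) for a gamma(shape, rate) density, using the power
    series of the regularized lower incomplete gamma function."""
    z = rate * x
    if z <= 0.0:
        return 0.0
    term = 1.0 / shape
    total = term
    for n in range(1, 10000):
        term *= z / (shape + n)
        total += term
        if term < 1e-16 * total:
            break
    log_scale = shape * math.log(z) - z - math.lgamma(shape)
    return min(1.0, total * math.exp(log_scale))


def gamma_quantile(p, shape, rate):
    """Invert gamma_cdf by bisection; the upper bracket lies far in the tail."""
    lo, hi = 0.0, (shape + 12.0 * math.sqrt(shape) + 12.0) / rate
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if gamma_cdf(mid, shape, rate) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def fire_frequency_table(evidence=TABLE_2_1):
    """Posterior mean and 5th/95th percentiles of fire frequency per area,
    in fires per compartment-year."""
    rows = {}
    for area, (r, T) in evidence.items():
        shape, rate = posterior_params(r, T)
        rows[area] = {
            "mean": shape / rate,
            "p05": gamma_quantile(0.05, shape, rate),
            "p95": gamma_quantile(0.95, shape, rate),
        }
    return rows


if __name__ == "__main__":
    for area, row in fire_frequency_table().items():
        print(f"{area:28s} mean={row['mean']:.2e}  "
              f"90% interval=({row['p05']:.2e}, {row['p95']:.2e})")
```

Areas with few recorded fires, such as the Cable Spreading Room, keep a wide 90% interval relative to their mean, which is the state-of-knowledge uncertainty the text refers to.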


2.3.4  Fire  Growth  Time  and  Competing  Fire-Detection  and 
Suppression  Time 

Figure  2-3  depicts  a  simplified  view  of  the  interactions  in 
a  compartment  fire  as  modeled  in  the  FRA.  A  fire  starts  and 
releases  energy  to  other  contents  in  the  room.  This  energy  causes 
the gas pressure in the flame zone to rise. The products of
combustion,  with  temperature  higher  than  that  of  the  environment, 
are  driven  upward  by  buoyancy  forces.  A  hot,  turbulent  plume  is 
generated  and  begins  to  rise.  The  upward  momentum  of  the  plume 
depends  on  the  distance  between  the  fire  source  and  the  ceiling, 
the  fire  strength,  and  the  thermal  stratification  of  the  room. 
Along  the  axis  of  the  plume,  relatively  quiescent  air  at  ambient 
temperature  is  entrained  into  the  plume  and  mixes  with  the  plume 
gases  as  they  continue  their  ascent  toward  the  ceiling.  As  a 
result of the air entrainment, the total upward mass flux in the
plume  continuously  increases  while  its  temperature  decreases. 
When  the  plume  gases  impinge  on  the  ceiling,  they  spread  and  form 
a  relatively  thin  turbulent  ceiling  jet.  As  this  hot  jet  moves 
radially  outward,  it  transfers  energy  by  convection,  conduction, 
and  radiation  to  the  ceiling,  causing  its  temperature  to  rise. 
This  ceiling  jet  also  sends  fire  signatures  to  the  ceiling- 
mounted  fire  detectors  and  sprinkler  nozzle  heads. 

When  the  ceiling  jet  is  blocked  by  the  room  boundaries,  it 
turns  downward  at  the  ceiling-wall  juncture,  thereby  initiating  a 
downward-directed  wall  jet.  This  wall  jet  is  of  higher 
temperature  and  lower  density  than  the  ambient  air  into  which  it 
is  being  driven.  The  wall  jet,  retarded  by  its  relative  negative 
buoyancy,  turns  upward  and  entrains  an  additional  amount  of 
cooler  air  from  the  lower  region  on  its  way  up.  Eventually,  a 
relatively  quiescent  upper  gas  layer,  called  the  hot  gas  layer, 
is  formed  below  the  continuing  jet  flow  activity.  Thus, 
stratified  regions  are  formed  as  the  fire  grows,  and  the  room  is 
divided  into  several  regions  with  distinct  thermal  boundaries. 
Objects  within  a  hot  gas  layer  will  be  subject  to  a  similar 
degree  of  convective  and  radiative  heat  transfer. 

Simple  fire  and  heat  transfer  models  and  correlations  were 
employed  to  predict  the  thermal  environment  as  a  function  of 
time.  The  thermal  response  of  various  targets  in  the  fire 
scenario  was  modeled  to  predict  the  amount  of  time  required  for 
a  fire  to  damage  or  ignite  critical  equipment. 

The  fire  growth,  detection,  and  suppression  processes  are 
time-competing  processes.  As  the  fire  heats  up  the  equipment  in 
the  room,  it  also  sends  fire  signatures  to  the  fire  detectors. 
The  fire  can  cause  damage  before  the  detection  system  can 
respond,  or  before  the  suppression  system  can  be  actuated.  These 
times can be summarized by two characteristic time factors, $T_G$
and $T_H$, such that a component X can be defined to be damaged due
to fire if $T_G < T_H$. The fire growth time, $T_G$, is defined as the
time it takes for the fire to propagate to X and damage it. The
hazard time, $T_H$, is defined as the total fire exposure time
during which X can be damaged by the fire. The conditional
frequency that X will be damaged, given that the fire occurs, can
then be formulated as

$$Q_X = \mathrm{Freq}\{T_G < T_H \mid \mathrm{Fire}\} \tag{2-4}$$



where  Freq  {A|B}  denotes  the  frequency  of  occurrence  of  event  A 
conditioned  on  the  occurrence  of  event  B. 

Equation 2-4 simply says that the damage frequency of X,
given  that  a  fire  has  occurred,  is  equal  to  the  frequency  of  the 
event  having  growth  time  smaller  than  the  hazard  time;  i.e.,  the 
time  to  damage  the  component  in  a  given  magnitude  of  a  fire  is 
shorter  than  the  time  it  takes  to  detect  and  suppress  the  fire. 

The expression (as defined in Eq. 2-4) is usually modeled as
an exponential process [Refs. 8, 10, and 11], such that

$$Q_X = e^{-T_G/T_H} \tag{2-5}$$

The probabilistic distribution of $Q_X$ is obtained by combining the
distributions of $T_G$ and $T_H$ using the exponential model. For each
critical location, the fire growth time, $T_G$, is estimated using
the computer code COMPBRN III [Ref. 12]. If a fire-protection
system is available in the location, the hazard time, $T_H$, is
determined by the reaction of fire-protection systems such that

$$T_H = T_D + T_S \tag{2-6}$$

where $T_D$ is the detection time, which is defined to include not
only the time to acknowledge the presence of the fire, but also
the time interval following acknowledgment but prior to
initiation of suppression efforts. $T_S$ is the suppression time;
i.e., the time required to extinguish the fire after the
actuation of the suppression systems (which could be a manual or
an automatic system).


2.3.5  Fire-Induced  Damage  Probability 

As  described  in  Figure  2-2,  each  fire  initiating  event  can 
have  two  scenarios  that  lead  to  equipment  damage  in  that 
location.  The  conditional  probability  of  equipment  damage,  Px, 
due  to  a  particular  event,  is  the  sum  of  the  probability  of 
occurrence of the two scenarios; i.e.,

$$P_X = (1 - U)\, Q_{auto} + U\, Q_{manual} \tag{2-7}$$

where

U = unavailability of the FPS.

$Q_{auto}$ = probability of fire-induced damage calculated by Eq.
2-5 when the location is guarded by automatic FPS
and the FPS fails to control the fire before damage.

$Q_{manual}$ = probability of fire-induced damage calculated by Eq.
2-5 when manual suppression fails to control fire
before damage.


2.3.6  Total  Fire  Risk 

The  unconditional  probability  of  equipment  damage  due  to  a 
particular  fire  initiating  event  is  then  the  product  of  the  fire 
occurrence  frequency  and  the  conditional  probability  as  assessed 
from  the  event  tree.  The  probability  of  equipment  damage  in  a 
critical  location  is  the  sum  of  the  unconditional  probability  of 
all  events  developed  to  model  the  credible  damage  scenarios  in 
that  location.  The  total  fire  risk  is  equal  to  the  sum  of 
unconditional  probabilities  for  all  critical  locations  in  the 
facility. 
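
An added example, not from the paper, that propagates uncertainty through Eqs. 2-5 to 2-7 by Monte Carlo sampling and sums the unconditional damage frequency over locations. All times, unavailabilities and the lognormal error factor are constructed values; the posterior parameters assume a gamma(0.5, 0.5) prior updated with the Table 2-1 evidence for the Battery Room and Electrical Switchgear Room (4 fires in 1346.4 compartment-years each).

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Location:
    name: str
    shape: float      # posterior gamma shape (prior shape + r)
    rate: float       # posterior gamma rate (prior rate + T), compartment-years
    u: float          # FPS unavailability on demand; 1.0 means no automatic FPS
    tg: float         # median fire growth time T_G to damage, minutes
    td_auto: float    # median detection time T_D with automatic FPS, minutes
    ts_auto: float    # median suppression time T_S with automatic FPS, minutes
    td_manual: float  # median detection time for manual suppression, minutes
    ts_manual: float  # median manual suppression time, minutes


# Constructed inputs for illustration only (not values from the paper).
LOCATIONS = [
    Location("Battery Room", 4.5, 1346.9, 0.05, 20.0, 1.0, 3.0, 5.0, 15.0),
    # No automatic FPS assumed here: U = 1.0, so only the manual branch counts.
    Location("Switchgear Room", 4.5, 1346.9, 1.0, 30.0, 0.0, 0.0, 5.0, 15.0),
]
ERROR_FACTOR = 3.0  # assumed ratio of 95th percentile to median for every time


def damage_given_fire(t_growth, t_detect, t_suppress):
    """Eq. 2-5 with Eq. 2-6: Q = exp(-T_G / T_H), where T_H = T_D + T_S."""
    return math.exp(-t_growth / (t_detect + t_suppress))


def conditional_damage(u, q_auto, q_manual):
    """Eq. 2-7: P = (1 - U) * Q_auto + U * Q_manual."""
    return (1.0 - u) * q_auto + u * q_manual


def sample_time(rng, median):
    """Lognormal sample with the given median and the assumed error factor."""
    sigma = math.log(ERROR_FACTOR) / 1.645
    return rng.lognormvariate(math.log(median), sigma)


def total_fire_risk(locations=LOCATIONS, trials=5000, seed=1):
    """Distribution of total damage frequency (per year): the sum over
    locations of fire frequency times conditional damage probability."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for loc in locations:
            # random.gammavariate takes a scale parameter, i.e. 1 / rate.
            freq = rng.gammavariate(loc.shape, 1.0 / loc.rate)
            tg = sample_time(rng, loc.tg)
            q_manual = damage_given_fire(
                tg, sample_time(rng, loc.td_manual), sample_time(rng, loc.ts_manual))
            if loc.u < 1.0:
                q_auto = damage_given_fire(
                    tg, sample_time(rng, loc.td_auto), sample_time(rng, loc.ts_auto))
            else:
                q_auto = 0.0  # branch has zero weight when no automatic FPS exists
            total += freq * conditional_damage(loc.u, q_auto, q_manual)
        totals.append(total)
    totals.sort()
    return {
        "mean": sum(totals) / trials,
        "p05": totals[int(0.05 * trials)],
        "p95": totals[int(0.95 * trials)],
    }


if __name__ == "__main__":
    print(total_fire_risk())
```

Lowering `u` or the automatic detection and suppression times for a location and rerunning shows how much of the total comes from the manual-suppression branch.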


2.4  RISK  MANAGEMENT 


Risk  management  provides  design  confirmation  and 
recommendations  to  reduce  fire  risk,  if  necessary.  The  design  can 
be  confirmed  by  either  of  the  following: 


(1) The risk of fire occurrence is acceptable so that
protective  measures  are  not  necessary. 


(2)  The  existing  fire  protection  capabilities  are  adequate  to 
prevent  agent  release  due  to  fires. 


The FRA utilizes the Risk Assessment Code (RAC) system to
evaluate the risk associated with individual critical areas. The
RACs are based on a combination of probability and severity, as
delineated and approved in the CSDP Safety System Program Plan
[Ref. 1]. For locations where the fire risk (RAC number) was
found to be unacceptable, recommendations are provided to reduce
such risk. Figure 2-4 describes the various hazards and control
measures in fire risk management. The control measures are used
to break down the "fire triangle" so that combustion cannot be
sustained. In general, the likelihood of component damage can be
reduced by:

(1) Slowing down the fire growth rate, e.g., by reducing
combustible loading in rooms, or by installing fire
barriers.

(2) Speeding the fire detection and suppression
capabilities. Different types of fire detectors may be
used to provide a faster response time, or to reduce the
false alarm rate. Installation of automatic fire
suppression systems may be necessary in locations where
manual suppression capability is limited.

(3) Reducing the risk of common-cause failures due to fire
by increasing the redundancy of important
equipment, and positioning the redundant components in
independent areas so that single-mode and single-cause
failure are virtually impossible.


3.  FIRE  RISK  ASSESSMENT 


3.1 SELECTION OF CRITICAL LOCATIONS AND COMPONENTS

There  are  two  main  objectives  in  selecting  critical 
locations.  The  first  objective  is  to  ensure  that  all  important 
locations  are  analyzed.  This  may  lead  to  the  consideration  of  a 
potentially  large  number  of  candidate  locations.  The  second 
objective  is  to  minimize  the  effort  spent  in  quantifying  the  fire 
risk  in  unimportant  locations.  These  two  objectives  are 
counteractive  to  each  other  and  must  be  balanced  in  a  meaningful 
FRA. 


In  order  to  account  for  all  important  locations  and  identify 
the  critical  locations  systematically,  the  following  information 
was  obtained: 

(1)  The  ESFs  that  are  designed  to  safeguard  against  agent 
release  from  the  demilitarization  processes. 

(2)  The  critical  equipment  that  performs  these  ESFs. 

(3)  The  locations  of  this  critical  equipment  and  its  control 
and  power  cable  routes. 

(4)  The  fire  areas  that  contain  this  critical  equipment. 

The  critical  locations  were  then  selected  based  on  the 
following  criteria: 

(1)  The  amount  of  critical  equipment  in  a  fire  area. 

(2)  The  presence  of  combustibles  in  the  area. 

(3)  The  potential  of  rapid  fire  growth,  extinguishment  delay, 
and  equipment. 

(4)  Locations  identified  from  previous  studies  (e.g.,  the  SHA 
[Ref.  6]). 

(5)  The  estimated  frequency  of  fire  occurrence  and  its 
consequences  in  these  locations. 

This screening process optimizes the effort in performing
the  FRA.  However,  the  analysis  does  not  indicate  that  other 
locations  in  the  facility  that  are  not  in  this  list  are 
absolutely  free  from  fire  risks.  The  critical  locations  chosen  in 
the  FRA  are  dominant  to  other  areas  in  terms  of  the  probability 
and  consequences  of  fire  occurrence. 

The  CSDP  facility  contains  the  basic  process  equipment  and 
control  systems  necessary  to  disassemble,  punch,  and  drain 
munitions and bulk items; to incinerate agent, other liquid, and
solid  waste;  and  to  decontaminate  munition  bodies  and  other  metal 
items.  The  facility  also  provides  critical  services  to  the 
personnel  operating  and  maintaining  the  process  equipment  [Ref. 
22].  ESFs  are  incorporated  to  safeguard  these  areas  of  operation 
by  preventing  propagation  of  agent  from  toxic  areas  to  less-toxic 
or  nontoxic  areas.  The  functions  identified  as  ESFs  include  the 
cascaded ventilation systems, containment protection, HVAC
filtration, liquid agent removal, decontamination, control and
power  supply,  and  fire  protection. 

The  ESFs,  when  needed,  will  be  performed  by  the 
corresponding  safety  equipment.  This  safety  equipment, 
coordinated  with  corresponding  control  and  power  supply  units 
under  both  normal  and  off-normal  conditions,  is  designed  to 
prevent  agent  release  to  the  nontoxic  areas  and  to  mitigate  the 
consequences  following  agent-handling  mishaps.  Each  of  the  ESFs 
may  require  one  or  more  pieces  of  designated  equipment  to  carry 
out  its  function.  Table  3-1  shows  the  selected  ESFs,  critical 
components  and  their  locations. 


3.2 ESTIMATION OF FIRE OCCURRENCE FREQUENCY

The  probability  distributions  for  the  fire-occurrence 
frequency  at  the  critical  locations  were  assessed  by  applying 
Bayes'  Theorem.  Data  compiled  from  industrial  plant  experience 
(Table  2-1)  are  treated  as  evidence  and  modeled  by  the  likelihood 
functions.  The  posterior  distributions  for  the  fire-occurrence 
frequency  in  each  of  the  critical  locations  were  developed  using 
noninformative  prior  distributions.  The  posterior  distributions 
were  analyzed  and  modified  with  justification  to  closely  reflect 
the  difference  between  the  analyzed  facility  design  and  the 
evidence. 


3.3 AREA DESCRIPTION


An  area  description  is  based  on  reviewing  the  design 
drawings  to  identify  the  location  of  postulated  ignition  pilot 
fire,  fuel  elements,  room  openings,  room  dimensions,  and 
locations of critical equipment. The area information is used
for  the  COMPBRN  III  fire  growth  model. 


3.4 FPS CHARACTERISTICS

Fire  protection  characteristics  include  the  description  of 
the  fire-rated  walls,  the  fire  detection  system,  detector 
locations,  zoning  and  spacing  of  the  detection  system,  control 
panel  type  and  location,  and  types  of  suppression  systems.  The 
information  collected  is  used  for  the  DETACT  computer  program  to 
calculate  the  detector  response  time  and  the  fire-suppression 
time. 


3.5 FPS UNAVAILABILITY


The FPS unavailability refers to failure of the FPS to be available
on demand. Fault-tree analysis is used to model the FPS. The
analysis  includes  both  the  manual  and  automatic  systems.  The 
analysis  includes  the  failure  rate  calculation  of  fire  detection 
system,  fire  panels,  and  fire  suppression  system.  The  CAFTA 
computer  workstation  [Ref.  23]  is  used  to  perform  the 
unavailability  analysis.  An  example  of  an  FPS  fault  tree  is 
shown  in  Figure  3-1. 


3.6 THERMAL-RESPONSE EVALUATION

The thermal response evaluation focuses mainly on the
critical equipment fire-damage-time evaluation for a given fire.
The  thermal  response  of  critical  equipment  is  best  estimated  by 
the  COMPBRN  III  computer  code. 


3.7  FIRE-HAZARD-TIME  ASSESSMENT 

Fire-hazard time is equal to the sum of the detector-response
time and the fire-suppression time. The detector-response time
is the time from the fire start to the time when detectors send
signals to panels and/or fire warning systems. The length of the
detector-response time depends on many factors: detector type,
the type and size of fire, and the spacing of the detectors. The
detector-response time is calculated by the DETACT computer code.

Table 3-1 - ESF, Critical Components and their Locations

Engineered Safety Functions     Critical Components          Location
------------------------------  ---------------------------  --------------------------
1. Cascaded Ventilation System  Supply Air Blowers           Mechanical Equipment Room
                                                             Air Handling Room
                                                             Battery Room
                                                             Switchgear Room
                                                             Electrical Rooms
                                Exhaust Air Blowers          HVAC Filter Areas
                                Air Flow Isolation Dampers   Various Locations
                                Instrument Air Compressors   Mechanical Equipment Room

2. Containment Protection       DPE Suits                    Various Locations
                                High Curb                    Various Locations
                                Sloped floor                 Various Locations
                                Enclosures                   Various Locations

3. HVAC Filtration              Intake Filters               Mechanical Equipment Room
                                                             Air Handling Room
                                                             COH Filter Area
                                                             Electrical Rooms
                                                             Battery Room
                                                             Switchgear Room
                                Exhaust Filters              HVAC Filter Areas
                                ACAMS                        Monitor Houses

4. Liquid Agent Removal         Sumps                        Various Locations
                                Level alarms                 Sumps
                                Sump Pumps                   Sumps
                                Plant Air Compressors        Equipment Room

5. Decontamination              Decon Solution               Various Locations

6. Control and Power Supply     Instrument Cables            Various Locations
                                Power Cables                 Various Locations
                                UPS Power Supply             Battery Room

7. Fire Protection              Fire Detectors               Various Locations
                                Fire Control Panels          Various Locations
                                Halon 1301                   Halon Room
                                Dry Chemical                 Obs. Corridor 09-142
                                Sprinkler System             UPA, CHB

Figure 3-2  Fault Tree of a Fire Protection System

The fire-suppression time depends on the fire-suppression
system design, the availability of the suppression
system/equipment, the response of personnel, and accessibility of
the area. Suppression time of the automatic FPS can be estimated
from the available vendor data or by engineering judgement. The
manual suppression time will depend on the fire size, the
experience of personnel, and availability of equipment.
Engineering judgement is commonly used to estimate the manual
suppression time.

3.8  FIRE-INDUCED-DAMAGE PROBABILITY

The fire-induced-damage probability, Qx, of a piece of
critical equipment x is calculated by Eq. 2-5. The calculated
fire-induced-damage probability is the probability for either the
automatic FPS or the manual FPS, depending on the area design.


3.9  UNCONDITIONAL FIRE RISK

The unconditional fire risk is the probability of fire
damage to a piece of critical equipment based on all the fire
scenarios in the area. The probability is the sum, over the
scenarios, of the fire-induced-damage probability times the
fire-occurrence frequency for the scenario. The total area fire
risk is the sum of all critical equipment damage risks in the
area. The total facility fire risk is the sum of all the area
fire risks.


3.10  DISCUSSION  AND  INTERPRETATION 

The fire risk calculations stated above show the parameters
involved in the calculations, which in turn determine the fire
risk of a piece of critical equipment. The fire risk of the area
is the sum of the fire risk of all the critical equipment in the
area. If the fire risk is too high, risk management must be
performed based on the variation of the crucial parameters. The
fire risk analyst must interpret the results for the FPS
designers so that an alternative FPS design can be developed. If
the design change is not feasible, stringent operating procedures
must be incorporated in the plant standing operating procedures
to reduce the fire-occurrence frequency and to reduce the
fire-suppression time.
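
The roll-up described in Sections 3.9 and 3.10, as an added example (not code or data from the paper): it sums frequency times Qx per equipment item, then per area and for the facility, ranks the areas, and reports which scenario dominates. All scenario values, the per-year unit, and RAC_LIMIT are constructed assumptions; Qx is taken as a given input because Eq. 2-5 is not reproduced in this section.

```python
from collections import defaultdict

# Constructed sample scenarios (not data from the paper). Each row:
# (area, critical equipment, scenario, fire-occurrence frequency per year
#  [assumed unit], fire-induced-damage probability Qx for that scenario).
SCENARIOS = [
    ("Battery Room", "UPS Power Supply", "small cable fire", 2.0e-2, 0.05),
    ("Battery Room", "UPS Power Supply", "large battery fire", 5.0e-4, 0.90),
    ("Mechanical Equipment Room", "Supply Air Blowers", "small motor fire", 1.0e-2, 0.02),
    ("Mechanical Equipment Room", "Instrument Air Compressors", "oil fire", 1.0e-3, 0.30),
]
RAC_LIMIT = 1.0e-3  # hypothetical per-area acceptance limit, not a value from the paper


def equipment_risk(scenarios):
    """Unconditional risk per (area, equipment): sum over scenarios of frequency * Qx."""
    risk = defaultdict(float)
    for area, equip, name, freq, q in scenarios:
        if freq < 0.0 or not 0.0 <= q <= 1.0:
            raise ValueError(f"invalid frequency or probability in scenario {name!r}")
        risk[(area, equip)] += freq * q
    return dict(risk)


def area_risk(scenarios):
    """Area risk: sum of the risks of all critical equipment in the area."""
    totals = defaultdict(float)
    for (area, _equip), r in equipment_risk(scenarios).items():
        totals[area] += r
    return dict(totals)


def facility_risk(scenarios):
    """Facility risk: sum of all area risks."""
    return sum(area_risk(scenarios).values())


def priorities(scenarios, limit=RAC_LIMIT):
    """Areas ranked by descending risk, each flagged True if it exceeds the limit."""
    ranked = sorted(area_risk(scenarios).items(), key=lambda kv: kv[1], reverse=True)
    return [(area, r, r > limit) for area, r in ranked]


def dominant_scenario(scenarios, area, equip):
    """Name of the scenario contributing most to one equipment item's risk."""
    rows = [s for s in scenarios if s[0] == area and s[1] == equip]
    return max(rows, key=lambda s: s[3] * s[4])[2]


if __name__ == "__main__":
    for area, r, over in priorities(SCENARIOS):
        print(f"{area}: {r:.2e}/yr {'EXCEEDS limit' if over else 'within limit'}")
```

With these constructed inputs the frequent small fire, not the rare large one, is the dominant contributor to the UPS risk.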


4.  CONCLUSION 

The fire risk of a CSDP facility has been quantified by
applying the FRA methodology described in Section 2. The
methodology combines the use of state-of-the-art computer codes,
engineering judgment, relevant industrial experience, and
numerical analysis techniques to evaluate the unconditional
probability of fire damages in various critical locations of the
facility.

As discussed in Subsection 2.4, the results of the
assessment confirm whether the design is within the acceptable
safety margins by comparing the risk with the RACs. In locations
where the fire risks are found to be unacceptable, design
recommendations are provided to reduce such risk based on FRA and
FPS designer discussion. These recommendations were developed
primarily based on the dominant factors in the FRA to reduce the
fire hazard time (detection and suppression), increase the fire
growth time, prevent fire propagation, and reduce fire occurrence
frequency. The fire risks of the facility were re-evaluated
based on the FRA recommendations.

During the course of the FRA, it was found that a small fire
is as important as a big fire. This is because small fires have
high occurrence rates and they can damage critical equipment
before or without actuating the FPS. The ESFs are
engineering-designed components to protect the facility from
agent release, major equipment damage, and personal injury.

The  quantitative  assessment  of  the  recommended  FRA  provides 
a  basis  for  fire-risk  management.  The  results  of  assessed  risk 
at  different  locations  can  be  used  as  priority  scales  to 
determine  where  the  risk  management  effort  should  be  focused. 
This  is  a  key  concept  of  risk  management. 